The Web Application Hacker's Handbook

Dafydd Stuttard & Marcus Pinto

Abu Dhabi 2010 Training Session // Nov 8-9

Overview:

This course is taught by the authors of the "Web Application Hacker’s Handbook", the deepest and most comprehensive general-purpose guide to hacking web applications currently available. The book has a solid basis in the theory and practice of exploiting today’s enterprise web applications. This course is a practical opportunity to take the skills taught in the book to the next level, experimenting with all of the tools and techniques against numerous vulnerable web applications and labs, under the guidance of the book’s authors. The course also includes new material from the forthcoming second edition of the Handbook, bringing the book right up to date with the latest attacks.

The course concludes with a capture-the-flag contest. As an added bonus, a free web application will be provided to allow students to continue their learning after the course.

Course syllabus:

The course syllabus follows the chapters of The Web Application Hacker’s Handbook, with strong focus on practical attacks and methods. After a short introduction to the subject we delve into common insecurities in logical order:

how to exploit ‘low-risk’ vulnerabilities such as ‘XSS’ and ‘Cross-Site Request Forgery’ attacks to achieve automated account compromise

how to turn theoretical attacks into practical exploits

the latest attack techniques which have been developed in recent months

and much more…

For more detailed information about the course’s practical structure, see the Web Application Hacker’s Methodology chapter from the book.

Course timeline:

This is a 2-day course.

Teaching methods:

Brief theory delivered in lecture-style with examples

Interactive demonstrations

Hands-on Hacking: Interactively supported by the trainers

Capture the Flag

Student Requirements:

Students should ideally be familiar with using an intercepting proxy, and at minimum should be familiar with basic concepts such as the HTTP protocol, session management, and basic HTML.

What you should bring:

Students should bring a copy of The Web Application Hacker’s Handbook. A standard Windows, Linux or Mac laptop with Java installed, capable of running Burp Suite, should also be brought.

What you will get:

Printed handbook of the course slides and other reference material. Interactive web-based version of the WAHH methodology, supported by practical examples of each vulnerability type. A standalone web application which can be used to practice the techniques and attacks from the course.

Trainers:

Dafydd Stuttard is an independent security consultant, author and software developer. He has ten years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software. He works with banks, retailers and other enterprises to help secure their critical applications.

Dafydd is author of The Web Application Hacker's Handbook and SQL Injection Attacks and Defense. Under the alias “PortSwigger” Dafydd created the popular Burp Suite of web application hacking tools. He has developed and presented training courses at security conferences around the world.

Marcus Pinto is internationally recognised as a leader in the application and database security field, having spent the last nine years in Information Security. His consulting experience has placed him in front of hundreds of clients and some of the most technical areas of security currently in commercial demand. He has delivered to some of the most high-profile audiences, including training CESG’s penetration testing team, heading up an internal UK Government security team, and advising banks on structuring their online banking applications.

Marcus is a technical advisor to CREST, and develops a certification designed to test the best application and infrastructure security consultants in the world.

Marcus currently works as Head of Application Security for a tech-focused company with over 2 million registered customers settling over 6 million real-time transactions per day.